Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About jamesw
jamesw
Getting noticed
Member since Oct 12, 2018
2 weeks ago
Community Record
29
Posts
3
Kudos
0
Solutions
Badges
2 weeks ago
So kind of got this working with the mac based control and click through, but unfortunately it doesn't send Accounting Interim packets (only Start and Stop) so that's not great for what we need. When using "Sign on with my RADIUS server" it does send Interim updates as it has for many years. Hmm...
... View more
3 weeks ago
Thanks Rodrigo. This is how most vendors work - if MAC authentication fails (Access-Reject), the user will be redirected to the captive portal page for authentication. If MAC authentication succeeds (Access-Accept) the user is straight online, no captive portal redirect. I understand Meraki do it slightly differently, in that you must always send an Access-Accept else the client will not be able to even join the WLAN, but we still need some way to redirect them to the captive portal so they can register/login etc
... View more
3 weeks ago
Interested to know more on what you use the "Called-Station-Id" for when using the proxy, and why the format can't be changed? 🙂 Thanks
... View more
4 weeks ago
I really don't understand this decision. Why introduce a feature to make it more flexible, then take it away? Is there a technical reason why Meraki can't allow a customised Called-Station-Id format? This means your systems do not match and have no parity. This will mean customers are not able to use the proxy, because it still uses the BSSID as the Called-Station-Id which is not useful. In your previous reply, you state " The change from BSSID to MAC address does now align with the rest of the industry" - but not if using proxy 🤔
... View more
a month ago
What do you mean, you don't support it because you use it? 🙂 If a packet is being proxied from an AP, it should honour the same going through the proxy. If you can customise the NAS-ID when going through the proxy, what's the problem doing the same for Called-Station-Id? This effectively means the proxy is useless as it can't be set to what it needs to be...
... View more
a month ago
We could, but it goes against the reason we exists, because customers don't want to install/set up anything that they don't already have. So, we can generally work with any wireless kit just by running our captive portal and RADIUs in the cloud, at no cost or extra software/hardware installed on the customers site.
... View more
a month ago
I see your point, but the problem is we are not a "customer" but a service provider. We don't own the kit, or install it, or have access to the setup on site. We provide a cloud captive portal/authentication/analytics service, so, it's not easy to ask our customers to configure site-so-site to us as we have thousands of Meraki customers around the globe using our solution and for now, we still can't support MAC authentication with captive portal bypass.
... View more
a month ago
Hi Rodrigo Correct, on the Access Control page. This is what I have set: Association requirements : MAC-based access control Splash page : None or Click-through Scroll down to the RADIUS options and set: RADIUS CoA support: Unchecked RADIUS proxy: Checked You'll see when you enable the RADIUS proxy option, the new Called-Station-Id option disappears but the NAS-ID option is there! Thanks
... View more
a month ago
Thanks for the reply! We're not using any kind of strange design, nowhere in the documentation does it mention or indicate that you must use a local, on-site based ISE server. Everything is moving off-site to the cloud, including the way Meraki has worked from day one - they are a cloud controller and RADIUS server, with just the AP's on site. In reality, we're doing no different by hosting our RADIUS server in the cloud, it's just that there seems to be an expectation that an ISE server locally which isn't practical when you are a large service provider. Therefore, I feel Meraki should make it possible to proxy this traffic/feature or at least some API service so that we can send the CoA to the Meraki cloud, which can then send the signal direct to the relevant AP, without any firewall/port forward mess. The problem actually arises because Meraki are the only vendor I know that do not support MAC authentication with proper captive portal bypass. They do not allow you to select both MAC-based access control along with splash sign on via RADIUS server. So, their recommendation is to use the ISE option, which, in its current state, is one step forward and two steps back 🙂
... View more
a month ago
Thanks Rodrigo! This is also a similar query - wondering if you might be able to answer? https://community.meraki.com/t5/Wireless-LAN/Mac-based-authentication-with-ISE-cloud-RADIUS-server-and-CoA/m-p/119165#M17008 Thanks James
... View more
a month ago
We're testing out the following: Association requirements: MAC-based access control Splash page: Cisco Identity Services Engine (ISE) Authentication We run a cloud RADIUS server which acts as the ISE in terms of the RADIUS handling. So the flow currently works like this: Client associates to SSID Local AP sends Access-Request to configured RADIUS cloud server IP Our RADIUS replies with an Access-Accept and a Cisco-AVPair redirect url Client is redirected to our splash page URL and registers etc All good up until this point, but the problem is that to get the user online, we have to send a CoA request back to the local AP from our cloud RADIUS. Whilst we can open the firewall and perform a port forward to the AP, this only works if there is a single AP. More than one AP, and the solution falls over because you can't externally access all the different AP's using a single port forward. Why can't Meraki allow the RADIUS proxy option to work with this setup? For true captive portal authentications we can send a CoA back to the Meraki cloud which in turn authenticates the user on the local AP. But for ISE, it disables the RADIUS proxy option. Not everyone runs a local RADIUS server! Does anyone know an alternative way of achieving MAC authentication AND external captive portal fall-back? Thanks J
... View more
a month ago
Thanks, can you elaborate any further? Do we need to set up a new SSID in Meraki and use the same VLAN ID, or can it use the same SSID? What SSID should we configure the splash page settings/RADIUs for in case of the MAC authentication being rejected? It seems a strange way of doing it...
... View more
05-21-2021
03:27 PM
Something I noticed... when you enable the RADIUS proxy option, the setting for the Called-Station-Id format disappears, but the NAS-ID format option is there.. this seems a little odd and I don't understand why you still can't set both? Without proxy: With proxy: Bug, or something else? Thanks J
... View more
05-21-2021
07:24 AM
In the UI, you can select: Association: MAC-based access control Splash page: Click through It accepts this and all is okay (I know you can't use sign on with RADIUS and MAC-based access control together) However, how does this work in practice? I would expect, that is the RADIUS server replies with an Access-Reject, the end user will then be redirected to the configured click through splash URL, and if Access-Accept, the end user will be straight online without any splash authentication required. But, it seems to not work like this. If you do Access-Reject, it doesn't allow the device even to associate. If you do Access-Accept, the user is connected with no click through splash redirect and has full Internet. So, how do you actually get it to redirect someone to the splash page? Thanks J
... View more
05-20-2021
10:27 AM
Brilliant so what you are confirming is that in MR28, by default, without the customer logging in and making a change, it will now start sending the AP MAC address in the Called-Station-Id by default (unless configured otherwise), and now include the NAS-ID and the two extra Meraki vendor specific attributes? 😁
... View more
05-20-2021
01:40 AM
2 Kudos
Having tested the new MR28 release it now sets the Called-Station-Id to the AP MAC address, and also includes a couple of extra attributes by default so that's great.
... View more
05-20-2021
01:13 AM
1 Kudo
Thanks Rodrigo A couple of observations: On our existing WPA2 enterprise SSID, after upgrading to MR28, it started using the new Called-Station-Id settings without me setting/changing anything on the Meraki dashboard. Also, when I created a new SSID and set it to MAC-based control only, and configured basic radius servers, it too automatically uses the new Called-Station-Id settings without me setting anything. It seems the default setting for both Called-Station-Id and NAS-ID is "AP MAC address::SSID Name" / "AP MAC address::SSID Number" respectively - is this correct? (This is good for us, not complaining!) Prior to MR28, when I connect to the SSID, it sent the following packet: User-Name = "112233445566"
User-Password = ""
NAS-IP-Address = 0.0.0.0
Called-Station-Id = "0C-8D-DB-11-22-33:Free_WiFi"
Calling-Station-Id = "99-88-77-66-55-44"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b" and since MR28 we now see: User-Name = "112233445566"
User-Password = ""
NAS-IP-Address = 192.168.1.89
++ Service-Type = Call-Check
>> Called-Station-Id = "0C-8D-DB-11-22-33:Free_WiFi"
Calling-Station-Id = "99-88-77-66-55-44"
>> NAS-Identifier = "0C-8D-DB-11-22-33:vap1"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
++ Meraki-Device-Name = "0c:8d:db:11:22:33"
++ Meraki-Network-Name = "Test - wireless" The lines marked >> are the new, configurable ones and the ones with ++ are now being included as extra, which is great. Is this what is to be expected? Does this mean that once a customer upgrades to MR28, it will automatically start sending the new extra attributes, and changes the Called-Station-Id and NAS-ID to the default format as per above (which is much better than sending the BSSID MAC) Again, not a complaint (been waiting for this for years), just ensuring I have my facts correct. Thanks, James
... View more
05-19-2021
12:28 PM
Great - can you tell me, the new RADIUS options for Called-Station-Id and NAS-ID, what RADIUS requests do they affect? Does it change all RADIUS traffic, even Captive portal RADIUS, or just 802.1x. Is MAC authentication also included? At present, without setting any of the new options, captive portal RADIUS traffic uses the AP MAC address as the Called-Station-Id, but 802.1x and MAC authentication uses the BSSID MAC instead. Thanks, James
... View more
05-19-2021
04:49 AM
Hi Alexander Might you be able to provide some more detail/documentation around this in particular: [New] RADIUS enhancements (e.g., NAS-ID configuration, Called-Station ID configuration) Thanks, J
... View more
05-19-2021
04:40 AM
Thanks for your reply, and appreciate you updating the article in the past. So, if what you're saying is correct, this would affect MAC authentication requests too, or just 802.1x (WPA-enterprise)? What about captive portal authentication, which already sends the real AP MAC address as Called-Station-Id? What is the purpose of the option to add multiple choices for the Called-Station-Id and NAS-ID? Is this to append more than one to the attribute value (with a delimiter?), e.g. if I select #1 as AP MAC address and then #2 as SSID name it would send: Called-Station-Id = 00-18-0A-11-22-33:SSIDName This is definitely welcomed news, providing it doesn't mess up the existing Captive portal Called-Station-Id setup which is already good. Finally, I just wish Meraki are able to send some better attributes in the 802.1x/Mac auth Access-Request, as it's so basic. Even the accounting packet has a lot more, but not the Access-Request: Access-Request (1), id: 0xdd, Authenticator: f07ee2f820b20568bd6bc3fdd7625fc2
User-Name Attribute (1), length: 14, Value: 001122334455
User-Password Attribute (2), length: 18, Value:
NAS-IP-Address Attribute (4), length: 6, Value: 192.168.96.6
Called-Station-Id Attribute (30), length: 44, Value: 8A-15-14-AF-9A-A8:SSID
NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
Calling-Station-Id Attribute (31), length: 19, Value: 00-11-22-33-44-55-66 If it could include some of the same attributes like the Accounting request, for example the Meraki Vendor Specific like AP Name or even something that at least tells me its from a Meraki AP that would be good. This way I don't have to rely on figuring out BSSID's. Thanks! J
... View more
05-15-2021
02:14 AM
Just wondering if anyone can find out this for me? Thanks! J
... View more
05-12-2021
03:17 PM
Basically, we are a service provider, so our customers/partners sign up to our service and configure their Meraki APs (via the dashboard) to point to our splash page and RADIUS etc. Wi-Fi providers often license per AP, so the unique identifier of an AP is it's real MAC address. Therefore, a customers Meraki AP MAC addresses are registered on our RADIUS server and we only allow traffic from these. So, when an end user connects to the SSID on the AP, it will perform RADIUS authentication against our RADIUS server. For some reason, Meraki decided to send the BSSID instead of the real AP MAC, in the Called-Station-Id attribute, and thus we cannot authenticate the user because this BSSID is unknown to us, we only know the AP MAC of our customer APs. However, when a customer adds their Meraki AP MAC addresses to our system, we run a script that automatically generates all the possible BSSID combinations for each real AP MAC address. Thus, when we receive this BSSID in the RADIUS request, we can allow it because we know it. The problem arises for us now, because Meraki are no longer sharing how the BSSIDs on their newer MAC address ranges (in the original post) are being calculated, so we can't whitelist them on our RADIUS server. I hope this makes sense 🙂 I just wish Meraki would send the real AP MAC address in the Called-Station-Id attribute like everyone else, and then we don't have to care about BSSID's full stop.
... View more
05-12-2021
02:30 PM
Thanks! I'm concerned that they won't "update" it, as per the note on the article: Status information about each SSID advertised by an access point, including each BSSID, can also be found using the Dashboard API or using the AP details page. Please use APIs/dashboard as a primary way to retrieve BSSID information.
No new BSSID values will be added to this article moving forward. But, this needs consideration, as Wi-Fi operators need to know how these BSSID's are being calculated. Why Meraki can't just send the real AP MAC in the RADIUS Called-Station-Id attribute, like other vendors, is beyond me. (They do for captive portal splash sign on, just not for MAC authentication/802.1x where they send the BSSID instead)...
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 186 | |
| 1 | 1053 |
